Moving The Open Web Application Security Project Out Of The Shadows

Are Your Web Applications Safe?

July 24, 2002

By Rob Reilly

Nearly every news program, talk show and print media headline now
has a security angle. If you are an IT Manager or Executive, you are
probably pulling your hair out trying to secure your Information Technology
systems...especially web applications. You think about firewalls. You
think about hackers and terrorists. You think about your revenues if
someone breaks your web based ordering system. So, while everybody talks
about what to do... who is really doing something? Look to the people of the
Open Web Application Security Project for many of the answers to these questions.

The Open Web Application Security
Project (OWASP) is a group of devoted volunteers who are
hard at work developing platform independent tools, techniques and
processes that improve the security of web applications. They are building a
very comprehensive resource of security information and ways to
manage potential security threats to web based systems.

Mark Curphey is the founder of the Open Web Application Security
Project--a project he has been working on for a few years now.

"I created and have been moderating the webappsec mailing
list (originally called www-mobile-code) at
http://securityfocus.com since late 1999," Curphey said. From there, he
noted a growing need in the IT community.

"Web application security has been an emerging area
for quite some time and there has been a strong disconnect between
application developers and security consultants. This resulted in a
significant amount of FUD and hype from some vendors who were first
to market with early products and led users into either a false
sense of security or an artificially heightened sense of concern.
There was no place to go to get unbiased quality information about
the issues and how to deal with them." Curphey illustrated his point
when he talked about one of the OWASP's core documents.

"In the first two weeks since the initial release of our 'Guide To
Building Secure Web Applications and Web Services', we had
over 60,000 downloads. Quite impressive given that it's a 1.7Mb
document. Applications usually receive a lot of attention, but this
goes to show how much people are looking for knowledge, as well as
tools," he said.

The reality of the business world is that a virtually endless
variety of hardware, software and platform components can make up
a Web application. There are multiple vendors, multiple networks and
multiple operating systems thrown into the mix.

Asked about his personal
choice of tools in the battle for Web Application Security, Curphey remarked, "Well I am typing this interview from a Redhat 7.3 box using
my Evolution mail client! Myself and most of the volunteers are huge
Open Source and Linux fans. I banned MS products from my home a
while back, although I do have a work laptop with MS on it."

As far as other tools are concerned, "Part of the OWASP philosophy (and soon to be set down as
principles) is to use Open Source tools and Open Source standards
wherever possible and practical. All software is released under an OSI
compliant license. We are in the process of building out a proper portal for
the web-site which will be a Java based system on Linux," Curphey explained.

"Java and Linux are a
naturally great combination, joining the power and security of two 'best of
breed' technologies," he summarized.

When asked about OWASP's idea of platform independence, Curphey
had a quick response. "We are very conscious of making sure our
work is relevant to all people, irrespective of the platform they build on. The
issues are usually not platform specific anyway." He went on to
talk about Java.

"Most of us are huge Java fans. Java is a flexible language
that enables cross platform development with relative ease and has
an array of great security features. To date all of our development
projects are being coded in Java."

Initial questions about the Open Web Application Security Project focused
on why Curphey started the effort and what tools he used. The next section
outlines the tools, documents, and processes that have been produced by the
OWASP so far.